I created an asp portal for my customers. They all access the same website and pass in a tokenid, which is a guid. This guid tells me what company they belong to and what they have access to.
I have the membership provider set up to not allow duplicate email addresses and everyone under the same application. So, with this in mind, I figured I could do the following to allow them to register with more than one company with the same email account.
Create an membership provider application for each tokens (for each company).
Write a script that finds all of the accounts that are based on this guid and place them under appropriate application
Will this work? Will it allow my customers to create a login for each token/company using the same email address?
Thanks for the help!
If you script out
[dbo].[aspnet_Membership_FindUsersByEmail]
, you'll see (the default implementation) is already "separated by application". (because this procedure takes "ApplicationName" as a parameter.
So if you programmatically set the
MembershipProvider.ApplicationName
http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.applicationname.aspx
Then you should be able to do what you want.
Here is the signature of the procedure mentioned above:
ALTER PROCEDURE [dbo].[aspnet_Membership_FindUsersByEmail]
#ApplicationName nvarchar(256),
#EmailToMatch nvarchar(256),
#PageIndex int,
#PageSize int
AS
REMINDER:
You do not deal with the stored procedures directly. You use the API of the MembershipProvider.
But here is the simple test.
MembershipProvider mp1 = Membership.Providers["App1"];
mp1.CreateUser (.................. )
MembershipProvider mp2 = Membership.Providers["App2"];
mp2.CreateUser (.................. ) /* use same email */
Now, I think you'll have to define each MembershipProvider (and its name) in your config file.
But here is an MSDN link:
http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovidercollection.item.aspx
Related
I want to find out what key name provided from an external provider my database is using in an encrypted database.
This is an example taken from Microsoft website.
CREATE ASYMMETRIC KEY EKM_askey1
FROM PROVIDER EKM_Provider1
WITH
ALGORITHM = RSA_2048,
CREATION_DISPOSITION = CREATE_NEW
, PROVIDER_KEY_NAME = 'key10_user1' ;
GO
But I don't know how to learn whether this is CREATE_NEW or OPEN_EXISTING and have no clue what view contains information about this key10_user1 as mentioned in the example.
Could you try:
SELECT * FROM sys.cryptographic_providers;
to get the provider id and then query using sys.dm_cryptographic_provider_keys:
SELECT * FROM sys.dm_cryptographic_provider_keys(1234567);
GO
I'm creating a new report (*.rdl), and there I want to add username who runs the script (insert).
I've tried on VS2008 through "built-in-fields" function which is "User ID", but it didn't work:
CREATE TABLE #Some_Table
(
Plan_date date null,
Plan_customer int null,
creator_id nvarchar(55) null
)
INSERT INTO Some_Table
(
[Plan_date] ,
[Plan_customer],
[creator_id]
)
SELECT
#p_plan_monthly,
#p_plan_clients,
#creator_id ="user id" --from built-in-fields
Expected result is: Column creator_id is filling with value of username from active directory who made insert through my report.
To reiterate my comment, as it's is incredibly important:
"You need to use a different account to access your data #whitefang. The sa account should never be used for something as mundane as a report. In truth it should never be used unless you really need sysadmin privileges, or you're doing something like recovering the server. You should have a service account that can do the respective tasks it needs to. If you can suffer injection through those reports, you're service is like an open book to whomever has access."
Now, onto your problem. I would add a further internal parameter on your report. Change the value of the parameter to have the default value of =User!UserID; this will be the ID of the user running the report (perhaps something like StackOverflow\Larnu).
Then map that report parameter to your dataset parameter #creator_id and change your INSERT statement to:
INSERT INTO Some_Table ([Plan_date],
[Plan_customer],
[creator_id])
VALUES (#p_plan_monthly, #p_plan_clients, #creator_id);
Q: "and there I want to add username who runs the script (insert)"
You can use these functions.
-- database user name
SELECT USER_NAME()
-- login identification name
SELECT SUSER_NAME()
I am an IS auditor and I would like to check how we can retrieve the PASSWORD_VERIFY_FUNCTION assigned to users. I understand the script utlpwdmg.sql can be executed to setup the default password resource limits.
If changes were made using ALTER PROFILE, the script utlpwdmg.sql will not show the latest settings.
Please let me know what SQL commands I can execute to show what is the PASSWORD_VERIFY_FUNCTION stored and used in the system.
You can use this query to see source code of stored proc:
--Source of all password functions.
select *
from dba_source
where owner = 'SYS'
and name in
(
--The name of all password functions in use.
--See DBA_USERS.PROFILE to determine which user is using which profile.
select limit
from dba_profiles
where resource_name = 'PASSWORD_VERIFY_FUNCTION'
--Yes, this is intentionally the string 'NULL', that's what Oracle uses here.
and limit <> 'NULL'
)
order by name, line;
To find out what users are using PASSWORD_VERIFY_FUNCTION, you need to find out which profiles are using the function and then see which users are assigned that profile.
select profile from dba_profiles where limit = 'PASSWORD_VERIFY_FUNCTION';
select username from dba_users where profile = ;
I created a new superuser just so that this user can run COPY command.
Note that a non-superuser cannot run a copy command.
I need this user due to a backup application, and that application requires to run COPY command
But all the restrictions that I specified does not take effect (see below).
What is the difference between user postgres and a superuser?
And is there a better way to achieve what I want? I looked into a function with security definer as postgres ... that seems a lot of work for multiple tables.
DROP ROLE IF EXISTS mynewuser;
CREATE ROLE mynewuser PASSWORD 'somepassword' SUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT LOGIN;
-- ISSUE: the user can still CREATEDB, CREATEROLE
REVOKE UPDATE,DELETE,TRUNCATE ON ALL TABLES IN SCHEMA public, schema1, schema2, schema3 FROM mynewuser;
-- ISSUE: the user can still UPDATE, DELETE, TRUNCATE
REVOKE CREATE ON DATABASE ip2_sync_master FROM mynewuser;
-- ISSUE: the user can still create table;
You are describing a situation where a user can write files to the server where the database runs but is not a superuser. While not impossible, it's definitely abnormal. I would be very selective about who I allow to access my DB server.
That said, if this is the situation, I'd create a function to load the table (using copy), owned by the postgres user and grant the user rights to execute the function. You can pass the filename as a parameter.
If you want to get fancy, you can create a table of users and tables to define what users can upload to what tables and have the table name as a parameter also.
It's pretty outside of the norm, but it's an idea.
Here's a basic example:
CREATE OR REPLACE FUNCTION load_table(TABLENAME text, FILENAME text)
RETURNS character varying AS
$BODY$
DECLARE
can_upload integer;
BEGIN
select count (*)
into can_upload
from upload_permissions p
where p.user_name = current_user and p.table_name = TABLENAME;
if can_upload = 0 then
return 'Permission denied';
end if;
execute 'copy ' || TABLENAME ||
' from ''' || FILENAME || '''' ||
' csv';
return '';
END;
$BODY$
LANGUAGE plpgsql VOLATILE
COST 100;
COPY with option other than writing to STDOUT and reading from STDIN is only allowed for database superusers role since it allows reading or writing any file that the server has privileges to access.
\copy is a psql client command which serves the same functionality as COPY but is not server-sided, so only local files can be processed - meaning it invokes COPY but ... FROM STDIN / ... TO STDOUT, so that files on a server are not "touched".
You can not revoke specific rights from a superuser. I'm quoting docs on this one:
Docs: Access DB
Being a superuser means that you are not subject to access controls.
Docs: CREATE ROLE
"superuser", who can override all access restrictions within the database. Superuser status is dangerous and should be used only when really needed.
I have Users table to store user details with password and the authentication for the Application is working good with this.
But we want to integrate Facebook and Google Login in our system so please advise the related schema modifications.
CREATE TABLE dbo.Users(
UserId int IDENTITY(1, 1) PRIMARY KEY,
UserTypeId int, -- Admin = 1, End User = 2. (We have a master table for this, but eliminating here for simplicity)
UserName nvarchar(16) NOT NULL UNIQUE,
UserPassword nvarchar(16),
FirstName nvarchar(64),
LastName nvarchar(64),
DateOfBirth date,
Gender char(1),
PhoneNumber nvarchar(16),
Email nvarchar(128) UNIQUE,
IsActive bit,
UpdateTime datetime default CURRENT_TIMESTAMP )
Here is what I am thinking:
1) Once the user authenticated from Facebook or Google then the application will have claims (emailId)
2) The application should validate the emailId existence in Users Table and if exists it will allow login.
Q1> So will this require any update for the existing Row in Users Table?
Q2> If the user record does not exists (based on emailId claim record) then I think we should add the new record in users table?
Q3> In case of Add: What will be the Username and Password values?
Q4> Can the user (the added record) do a normal login without Facebook login?
Thanks.
In order to accept OpenID logins, you will have to accept and store the users' OpenID-URLs. This URL identifies the user just like an email address does.
Q1: Depends: If you want to allow both OpenID-logins and normal login for the same user, you will have to add another column to the table. If you don't allow mixed logins, you could use your Email column to store the OpenID URL.
Q2: Yes, if you see a new OpenID-URL, handle it just like an unknown email address
Q3: You will have to ask the user to pick a username - I assume you do the same for your current users. If you want to allow both logins for the same user, you will have to ask the user to set a password - otherwise they can only login through their OpenID provider.
Q4: Only if you did ask for a username and a password (see Q3)
Please note that allowing the same user to login through OpenID and using conventional username/password introduces potential security problem: A user might not unserstand that you're asking them to set a password and enter their Facebook (or Google) password. Or they might just not care and use the same password everywhere. If they do so and your database does not encrypt the password properly, your database will store the Facebook names and unencrypted passwords... even if just 10% used the same password on your site - just imagine what they could do with that.